Malware found hiding in a Windows Logo


The old Windows logo conceals a dangerous payload that could cause havoc on a network.

A group of hackers used an old Windows logo to distribute malware to government targets.

As The Register reports, the Witchetty espionage group (also known as LookingFrog) uses a range of tools to target governments, diplomatic missions, charities, and industrial/manufacturing organizations. Symantec’s Threat Hunter Team recently discovered that the group was using a “rarely seen” technique called steganography, which conceals malicious code within images.

Witchetty used an image of an old Windows logo. The malicious code inside is a backdoor Trojan (Backdoor.Stegmap), which can execute a variety of system commands. Disguising the payload as an image lets attackers host it for free on trusted services, where it is less likely to be flagged as a security risk. In this instance, Witchetty hosted the bitmap on GitHub.

After a target is compromised, the image is downloaded from GitHub. The payload can then be extracted on the target network (“decrypted using an XOR key”) and used to further infiltrate the system. Witchetty can “install web shells onto public-facing servers” after a successful attack. They can then steal credentials and install malware within an organization’s network.
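A defender's triage check for the bitmap-plus-XOR technique described above, as an added example that is not from the article or from Symantec: it reads a bitmap's headers to count bytes the image does not account for, and searches the file for a Windows executable marker under every single-byte XOR key. The single-byte key, the function names and the constructed sample file are assumptions; the article does not say how Backdoor.Stegmap embeds or keys its payload.

```python
import struct

# Fixed text in the DOS stub of most Windows executables.
PE_MARKER = b"This program cannot be run in DOS mode"

def bmp_layout(data):
    """Return (pixel_offset, expected_file_size) from the headers, or None if not a BMP."""
    if len(data) < 54 or data[:2] != b"BM":
        return None
    pixel_offset = struct.unpack_from("<I", data, 10)[0]
    width, height = struct.unpack_from("<ii", data, 18)
    bpp = struct.unpack_from("<H", data, 28)[0]
    if struct.unpack_from("<I", data, 30)[0] != 0:
        return pixel_offset, None  # compressed: size cannot be derived here
    row = (width * bpp + 31) // 32 * 4  # each row is padded to 4 bytes
    return pixel_offset, pixel_offset + row * abs(height)

def find_xor_marker(data):
    """Return (key, offset) for each single-byte XOR key that reveals PE_MARKER."""
    hits = []
    for key in range(256):
        pos = data.find(bytes(b ^ key for b in PE_MARKER))
        if pos != -1:
            hits.append((key, pos))
    return hits

def triage(data):
    """Summarise the two checks for one file's bytes."""
    layout = bmp_layout(data)
    if layout is None:
        return {"bmp": False}
    expected = layout[1]
    extra = None if expected is None else len(data) - expected
    return {"bmp": True, "unaccounted_bytes": extra,
            "xor_marker_hits": find_xor_marker(data)}

def sample_bmp(appended=b""):
    """Constructed 4x4, 24-bit black bitmap with optional bytes appended."""
    pixels = bytes(48)
    head = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    info = struct.pack("<IiiHHIIiiII", 40, 4, 4, 1, 24, 0, 48, 2835, 2835, 0, 0)
    return head + info + pixels + appended

if __name__ == "__main__":
    # Constructed test data: the marker text only, XORed with an arbitrary key.
    suspect = sample_bmp(bytes(b ^ 0x5A for b in PE_MARKER))
    print(triage(sample_bmp()))
    print(triage(suspect))
```

Either signal alone is only a reason to look closer: a longer or multi-byte key would not produce a marker hit, and some legitimate tools append metadata to image files.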

Symantec claims that Witchetty’s latest toolkit, which includes this steganography technique, has been used against two Middle East government agencies and an African stock exchange. Symantec views the group as a threat actor capable of compromising targets of interest.
